<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Palo Alto Routing Issue (Forwarding Table) in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-issue-forwarding-table/m-p/170151#M53993</link>
    <description>&lt;P&gt;Yes, I also lowered the HQ OSPF AD. I'll proceed to open a case.&lt;/P&gt;&lt;P&gt;I'm using PA 8.0&lt;/P&gt;</description>
    <pubDate>Sat, 05 Aug 2017 09:47:29 GMT</pubDate>
    <dc:creator>SecurityConsultant</dc:creator>
    <dc:date>2017-08-05T09:47:29Z</dc:date>
    <item>
      <title>Palo Alto Routing Issue (Forwarding Table)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-issue-forwarding-table/m-p/170109#M53984</link>
      <description>&lt;P&gt;Hello Everybody,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have several PAs for branches, and we have MPLS connecting all our branches. We are changing our design in order to use site-to-site IPsec tunnels from each branch to the HQ, and using OSPF in our tunnel to advertise our subnets. Since we are connecting one site each week, we are still advertising the subnets via BGP until we finish all sites. I'm facing an issue with the routing and the forwarding table: since I'm receiving the subnets via EBGP and OSPF, and because EBGP has an AD of 20 and OSPF has 30, the PA is using the EBGP. To overcome this problem I lowered the AD of OSPF to 18 so that it is less than the EBGP. Now all my traffic must go through the tunnel and not EBGP. However, I noticed that when I ping from the branch to the HQ the traffic passes through the tunnel, which is good, but from the HQ PA to the branch the traffic is using the EBGP and not the tunnel, which is not logical since the OSPF AD is also less than EBGP. Is this a bug with PA IOS 8.0? Or is there another issue which I'm missing?&lt;/P&gt;</description>
      <pubDate>Fri, 04 Aug 2017 20:09:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-issue-forwarding-table/m-p/170109#M53984</guid>
      <dc:creator>SecurityConsultant</dc:creator>
      <dc:date>2017-08-04T20:09:03Z</dc:date>
    </item>
    <item>
      <title>Re: Palo Alto Routing Issue (Forwarding Table)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-issue-forwarding-table/m-p/170124#M53986</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;So you want all traffic to use the VPN instead of the MPLS and then remove MPLS, correct? If yes, then you can utilize policy based forwarding at the remote sites until the MPLS is decommed. Also with the PBF, if the VPN goes down, you can have it default back to MPLS.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Have a static route that points all traffic out via the MPLS.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Since PBF takes place prior to static routing, everything will go down the VPN via the PBF rule. If the IP in the Monitor is unreachable, then the PBF is disabled and traffic will follow the static route you have defined to send down the MPLS.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Once the VPN is available again, the monitor will notice and re-enable the PBF so then all traffic will flow down the VPN path.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Additional detailed info:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/80/pan-os/pan-os/section_16.pdf" target="_blank" rel="nofollow noopener noreferrer"&gt;https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/80/pan-os/pan-os/sectio...&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Let me know if you would like further details.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers!&lt;/P&gt;</description>
      <pubDate>Fri, 04 Aug 2017 21:20:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-issue-forwarding-table/m-p/170124#M53986</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2017-08-04T21:20:29Z</dc:date>
    </item>
    <item>
      <title>Re: Palo Alto Routing Issue (Forwarding Table)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-issue-forwarding-table/m-p/170149#M53991</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Thanks for your reply,&lt;/P&gt;&lt;P&gt;I know we can use a lot of workaround solutions like PBF and using two static routes with different metrics and monitoring. But I planned for this scenario with dynamic routing and I have to make it work without static routing. My thing is I forced the OSPF to have the priority by lowering its AD to 18 to make it less than EBGP, and it's not working from one side. Why is it using the wrong forwarding path? I need to fix it.&lt;/P&gt;</description>
      <pubDate>Sat, 05 Aug 2017 09:07:20 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-issue-forwarding-table/m-p/170149#M53991</guid>
      <dc:creator>SecurityConsultant</dc:creator>
      <dc:date>2017-08-05T09:07:20Z</dc:date>
    </item>
    <item>
      <title>Re: Palo Alto Routing Issue (Forwarding Table)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-issue-forwarding-table/m-p/170150#M53992</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59092"&gt;@SecurityConsultant&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You also lowered the AD of OSPF on the HQ and not only on the branches, right? If your forwarding table is absolutely correct on the HQ and the traffic still takes the wrong path, the best you can probably do is to open a TAC case...&lt;/P&gt;&lt;P&gt;(What exact version of PAN-OS 8 is installed on your firewalls?)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Remo&lt;/P&gt;</description>
      <pubDate>Sat, 05 Aug 2017 09:38:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-issue-forwarding-table/m-p/170150#M53992</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2017-08-05T09:38:33Z</dc:date>
    </item>
    <item>
      <title>Re: Palo Alto Routing Issue (Forwarding Table)</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-issue-forwarding-table/m-p/170151#M53993</link>
      <description>&lt;P&gt;Yes, I also lowered the HQ OSPF AD. I'll proceed to open a case.&lt;/P&gt;&lt;P&gt;I'm using PA 8.0&lt;/P&gt;</description>
      <pubDate>Sat, 05 Aug 2017 09:47:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/palo-alto-routing-issue-forwarding-table/m-p/170151#M53993</guid>
      <dc:creator>SecurityConsultant</dc:creator>
      <dc:date>2017-08-05T09:47:29Z</dc:date>
    </item>
  </channel>
</rss>

